Games Like Fruit Ninja - Not Facebook - Get Worst Grades On App Privacy

One million Android apps have been indexed and graded as part of a landmark study into how much each one invades user privacy. Among the big offenders: mobile games like Fruit Ninja, Angry Birds and Despicable Me - apps that are often, incidentally, used by kids. The best behaved A-grade players are social media bigwigs that get flak for their approach to privacy: Facebook, Google Maps, YouTube and WhatsApp.

A team of researchers at Carnegie Mellon University put together the PrivacyGrade database, after helping the Federal Trade Commission weed out and fine Brightest Flashlight, a popular Android app that was secretly sharing users’ location data with advertisers, in December 2013.

Their database lists the third-party "libraries" which most apps use. Libraries are pieces of code provided by ad networks like InMobi, Twitter’s MoPub, Facebook and Google Analytics, which app makers install and reuse. It’s the quickest and most popular way to build apps these days - akin to putting Lego blocks together rather than building everything from scratch.

Yet libraries are also responsible for the most sensitive data requests made by apps like Fruit Ninja and Angry Birds.

Lead researcher Jason Hong and his team trawled 1 million apps on Google Play and created a model that predicted people’s expectations for each one and the gap with the app’s actual behavior. For instance, their studies showed that most people didn’t expect Fruit Ninja to collect their location data, but they did expect Google Maps to do so. The gap of expectation led to a lower grade for Fruit Ninja.

“In some of our past research people were ok with ads and their data being used for advertising purposes,” Hong said in an interview, “but only if they were aware of what’s going on. When they don’t, it’s a problem.”

The FTC is overwhelmed by the number of apps, websites and hardware it needs to regulate, says Hong, and the problem is made worse by the fact that app developers often don’t realize how much user data they’re siphoning away to advertisers (not so surprising since ads are their main meal ticket).

Ad networks rely on apps to gather as much detail as possible about users to create a composite profile that can be targeted with ads. “We talked to many app developers and many don’t know the full extent of what these libraries are doing,” Hong said.

Apps can do this in the most innocuous ways. Last month Twitter announced it was giving away new back-end tools for developers that would (it hoped) get them installing libraries for its mobile ad network MoPub. One of those tools collected app users’ phone numbers.

End users also often aren't aware of what’s happening with the data they share. While they might be ok with driving navigation app Waze collecting location data, for instance, many won’t know that the app also shares their anonymized location data with local governments.

Hong recommends that the FTC invest in better tools to detect privacy problems and scale up what its lawyers manually do today. The National Institute of Standards and Technology should also start holding conferences that teach best practices on privacy to developers, he says. The most egregious offenders should get a slap on the wrist to set the tone, he adds, and there should be clearer rules for advertisers to follow.

“App developers should have better tools and ways of conveying what’s going on,” Hong said. “Advertisement by itself isn’t necessarily bad, but the way it’s done now which is surreptitious and surprising to people - that’s bad.”
